
Putting people at the heart of cyber security

Categories: Guest blog, Skills and professionalism, Training and qualifications

I have worked within CESG on protecting government information as man and boy for over 20 years!! In that time I have witnessed a remarkable transformation in how HMG manages, protects and shares information. In the last few years, in particular, the rate of change – with the dash for all things digital – has been staggering.

The fantastic opportunities that the digital age affords us all in both our personal and professional lives bring with them more than a few headaches. Cyber-attacks are one of the top four threats to our national security and cyber-crime is costing the economy billions of pounds every year.

How we manage the risks to all the information out there in cyber space, whether it’s health records or the infrastructure that keeps the lights on, is a challenging question. And talking of cyber space, it’s probably worth reiterating the Cabinet Office definition just so we are all on the same page…

‘Cyberspace – an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet and also other information systems that support our business, infrastructure and services’

…so by extension, cyber security is the security of those digital networks and the information they hold.

It’s my firm view that people are at the heart of the cyber security solution. We need people with the right knowledge, skills and the capability to apply them effectively.

A recognised information assurance/cyber security profession has been a bit of a crusade of mine for a good few years and I recall that, back in 2009, we had a vision “that in five years’ time we will have increased the level of IA awareness and professionalism across government and its supply chains”.

So, here we are, five years later in 2014. Have we achieved that vision? In my role now as Deputy Director for HMG's National Technical Authority for Information Assurance, I can say with some pride that we (and I use ‘we’ as a collective which includes our partners in government departments, industry, professional bodies and academia) have made good progress – here’s how:

The CESG Certified Professional (CCP) scheme

I hope this will be familiar to some of you already. CCP is building a community of recognised, competent UK cyber security professionals. Launched initially to government cyber security professionals in September 2012 and subsequently made available to industry professionals in September 2013, there have been over 1,200 certificates awarded to over 920 individuals to date with many more going through the system.

The journey to get us to this point has not always been easy but I do believe that, with CCP in place, we have definitely increased the level of IA/cyber security professionalism as set out in our vision of 2009. There is more to do, of course, and we can’t afford to become complacent. We recognise that CCP has still to attain default status within government – something which I am really keen to achieve – and we’d like to see much more take-up in industry.

So why CCP?

What sets CCP apart from the myriad of existing industry schemes is that it is a certification of a person’s competence to apply their skills, knowledge and experience in the work place. In other words, they have provided evidence that they can do the job rather than just provided a string of qualifications.

So my plea to you is three-fold. Firstly, if you are responsible for employing or buying in IA professionals, make sure they have CCP in the roles that you require. Secondly, if you are already an IA professional working in government, please put yourself forward for CCP and thirdly, if we haven’t got the right roles for you, we’d like to know.

Further information on CCP

CESG Certified Training (CCT)

CCT is a new scheme and I have lost count of the number of times I have been asked which IA courses I would recommend and so, in order to provide some clarity (and save my blushes), CESG is inviting training providers to submit their courses to be judged against a CESG-approved standard for both course content and delivery. The assessment will be carried out by a CESG-appointed Certification Body – APM Group – and is based on the IISP supplemented skills framework. The real benefit of CCT is that it helps people to identify which training courses are most relevant for their current role and is part of an overall learning pathway into a CCP role or wider profession. It also provides budget holders with a high degree of assurance that a CESG Certified Training course is appropriate for the role and that it is delivered to an approved standard.

Further information on CCT

So, you can see that there is a lot going on but still much more to do. CCP and CCT provide great opportunities for people to improve their skills and gain a recognised certification of competence and, from an employer’s perspective, you can rest a little easier that the people in your team have the right skills, knowledge and experience to do the challenging job of protecting your information and systems.

I think that will do for now. If I’m invited back to do another blog I’d like to tell you a bit about the exciting work we are doing with academia.

More information

If you’d like any more information on the range of CESG/GCHQ initiatives, please email and we’ll see if we can help.
